Subject: Re: No-Exec Stack Smashing 101
From: Crispin Cowan (crispin at WIREX.COM)
Date: Wed Apr 26 2000 - 14:01:32 CDT
- Next message: Schockaert, Rudy: "Re: Securax Security Advisory: Windows98 contains a serious buffer overflow with long filename extensions."
- Previous message: M.C.Mar: "Re: No-Exec Stack Smashing 101"
- In reply to: Granquist, Lamont: "Re: No-Exec Stack Smashing 101"
- Next in thread: Michael H. Warfield: "Re: No-Exec Stack Smashing 101"
- Reply: Crispin Cowan: "Re: No-Exec Stack Smashing 101"
"Granquist, Lamont" wrote:
> Okay, lets say that you've got:
>
> 1. non-exec stack
> 2. libc remapped to location with 0x00 in it
> 3. statically linked executable, so no PLT functions
>
> And assume the bug is a simple buffer overflow in a string function which
> terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00
> "canary")
>
> How can you get around that? Is there a more general way around non-exec
> stacks than return-into-PLT exploits?
It's 2 steps:
1. Inject your payload (code to do "exec(sh)" or equivalent) into some
heap or static buffer (call it X). Note that you do *not* have to
overflow buffer X, just give it a string that happens to be native
instructions.
2. Overflow the vulnerable buffer and point the code pointer at X.
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html
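The two steps above, as an added C example (this is not code from the original thread or from Crispin Cowan): a static buffer X receives a payload through an ordinary in-bounds store, a separate buffer is then overflowed through a copy that stops at 0x00, and the frame's code pointer ends up holding the address of X. The frame is modelled as a struct with a fixed layout so the example runs deterministically, the payload bytes are a constructed placeholder rather than real instructions for any architecture, and the helper names (inject_payload, build_attack, smash, redirect_to, attack_demo) are this example's own. It also carries the check the question set aside: an address containing a 0x00 byte cannot be written whole by a copy that terminates on 0x00, which is why attack_demo() reports 0 rather than 1 on most 64-bit builds, where the high bytes of &X are zero.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Step 1 target: a static buffer X in the data segment.  The attack only
 * stores bytes into it within bounds; X itself is never overflowed.  The
 * payload below is a constructed stand-in for native instructions, not
 * real shellcode for any architecture. */
static unsigned char X[64];
static const char PAYLOAD[] = "\x90\x90\x90\x90<exec sh payload bytes>";

/* The vulnerable frame, modelled as a struct so the distance from the
 * buffer to the code pointer is fixed by this example and not by whatever
 * layout the compiler picks.  code_ptr stands in for the saved return
 * address; spill is whatever follows it in memory, which is where the
 * copy's terminating 0x00 lands.  volatile makes the value be read back
 * from memory after the overflow instead of assumed unchanged. */
struct frame {
    char buf[16];
    volatile uintptr_t code_ptr;
    unsigned char spill[sizeof(uintptr_t)];
};

/* The primitive the question assumes: a copy that stops at 0x00 and checks
 * nothing.  Written out instead of calling strcpy() so the demonstration
 * does not depend on compiler hardening (fortified strcpy) being off. */
static void unsafe_strcpy(char *dst, const char *src) {
    while ((*dst++ = *src++) != '\0') {
    }
}

/* Step 1: put the payload into X with a bounded copy.  No bug is needed
 * here, only some way of getting attacker bytes stored.  Returns 1 on
 * success, 0 if the payload would not fit. */
int inject_payload(const char *payload) {
    size_t n = strlen(payload);
    if (n >= sizeof X) return 0;
    memcpy(X, payload, n + 1);
    return 1;
}

/* Build the overflow string: filler up to code_ptr, then the target
 * address in native byte order.  Because the copy stops at 0x00, a target
 * address containing a zero byte cannot be written whole; the function
 * returns 0 in that case (or if out is too small), 1 otherwise. */
int build_attack(char *out, size_t outlen, uintptr_t target) {
    size_t fill = offsetof(struct frame, code_ptr);
    unsigned char addr[sizeof target];
    memcpy(addr, &target, sizeof target);
    for (size_t i = 0; i < sizeof target; i++)
        if (addr[i] == 0) return 0;
    if (outlen < fill + sizeof target + 1) return 0;
    memset(out, 'A', fill);
    memcpy(out + fill, addr, sizeof target);
    out[fill + sizeof target] = '\0';
    return 1;
}

/* Step 2: the overflow.  Returns the code pointer afterwards, i.e. where
 * control would transfer when this frame is "returned to". */
uintptr_t smash(struct frame *f, const char *attacker_string) {
    f->code_ptr = 0;
    unsafe_strcpy(f->buf, attacker_string);
    return f->code_ptr;
}

/* Step 2 against a caller-chosen target address.  Returns 1 if the code
 * pointer ends up equal to target, 0 if the overflow string could not be
 * built (0x00 byte in the address), -1 if the overwrite went wrong. */
int redirect_to(uintptr_t target) {
    struct frame f;
    char attack[64];
    if (!build_attack(attack, sizeof attack, target)) return 0;
    return smash(&f, attack) == target ? 1 : -1;
}

/* Both steps against the real X.  The pointer is never called: whether a
 * data segment is executable is a platform property (it commonly was in
 * 2000; NX/W^X data segments are what close this route today). */
int attack_demo(void) {
    if (!inject_payload(PAYLOAD)) return -1;
    return redirect_to((uintptr_t)X);
}

int main(void) {
    int r = attack_demo();
    printf("X at %p: %s\n", (void *)X,
           r == 1 ? "code pointer now holds the address of X"
         : r == 0 ? "address of X contains 0x00; the copy would truncate"
         : "unexpected failure");
    return 0;
}
```

redirect_to() with an all-0xFF address shows the mechanics independent of where the linker placed X; attack_demo() shows the real outcome on the build you run it on.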